| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
0001-pam_namespace-include-stdint-h.patch
removed since it's included in 1.6.1
Changelog:
===========
* build: fail if specified configure options cannot be satisfied.
* pam_env: fixed --disable-econf --enable-vendordir support.
* pam_unix: do not warn if password aging is disabled.
* pam_unix: try to set uid to 0 before unix_chkpwd invocation.
* pam_unix: allow empty passwords with non-empty hashes.
* Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
(From OE-Core rev: 2758bc1e521270c77c768a6d9701cb15dd30ea82)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 2a194d5dd1d82f233fa28a44412aea1ba4ccd434)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Apply a backported patch
(From OE-Core rev: e4fbb97fda6fe6232df743e655d0488f2353a24e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This came with latest libpam upgrade
../../Linux-PAM-1.5.3/examples/tty_conv.c:9:10: fatal error: 'termio.h' file not found
^~~~~~~~~~
1 error generated.
(From OE-Core rev: 00b5cbad49ccce7f2886b2e70b93e60e054f8f46)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
| |
(From OE-Core rev: ddb5e0f8a2cc7c48e1fb53b665e2fd5ed263bb19)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reproducer:
1.Enable the ptest of libpam and build the image.
2.Boot the rootfs with nfs, then run the following tests as root:
cd /usr/share/Linux-PAM/xtests
/usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd1
/usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd3
After applying this patch, the ptest doesn't be failed.
(From OE-Core rev: 549e54ad6a175359b0a57987ccdab8989df9d3a9)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows
authentication bypass for SSH logins. The pam_access.so module doesn't
correctly restrict login if a user tries to connect from an IP address
that is not resolvable via DNS. In such conditions, a user with denied
access to a machine can still get access. NOTE: the relevance of this
issue is largely limited to openSUSE Tumbleweed and openSUSE Factory;
it does not affect Linux-PAM upstream.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28321
Upstream patches:
https://github.com/linux-pam/linux-pam/commit/08992030c56c940c0707ccbc442b1c325aa01e6d
https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f
(From OE-Core rev: b1fd799af0086347de1ec4b72d562b1fb490def1)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the deprecated path to remove the systemd warning:
/etc/tmpfiles.d/pam.conf:2: Line references path below
legacy directory /var/run/, updating /var/run/console
/run/console; please update the tmpfiles.d/
(From OE-Core rev: 7865234fadf01a434d1f7097881b70905c1b8aa2)
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
/var/run in deprecated by systemd, use /run instead, as suggested by systemd.
This fixes the following systemd boot warning:
systemd-tmpfiles[340]: /etc/tmpfiles.d/pam.conf:1: Line references path
below legacy directory /var/run/, updating /var/run/sepermit →
/run/sepermit; please update the tmpfiles.d/ drop-in file accordingly.
(From OE-Core rev: 09eabeff2168c416c18b1c375e095b472830a9b0)
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport a patch to check whether files exist.
Before the patch:
# ./run-xtests.sh . tst-pam_access1
mv: cannot stat '/etc/security/opasswd': No such file or directory
PASS: tst-pam_access1
mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
==================
1 tests passed
0 tests not run
==================
After the patch:
# ./run-xtests.sh . tst-pam_access1
PASS: tst-pam_access1
==================
1 tests passed
0 tests not run
==================
(From OE-Core rev: 4903fdbace057df2e39c10aaef3440f89748eed2)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Drop patches: issues fixed upstream.
Move .pc files to correct place as libpam is instructed to install them in /lib via
--libdir.
(From OE-Core rev: b2aeaab36d7d46d47301d0729b634d182277cfbd)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
tst-pam_start_confdir needs a file called confdir and it should reside
in directory pointed by srcdir env variable, therefore copy confdir into
ptest package and export srcdir before running the ptests
(From OE-Core rev: 149d84b7eba8240737a301d0fd75b69e8a767854)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: f0de19e31122abd225bd75c6202839094194a36d)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Add ptest support.
(From OE-Core rev: 016efb82e90a56707995d2a6addd34e6b28b6b99)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: d7864a46092b8030accbc8c9a1c9055a762d69ba)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
These issues are addressed in libpam overtime and no longer needed thusly
in 1.5.x
(From OE-Core rev: 488c554623839d17436333894f9f4b244347de9d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove crypt_configure.patch, issue fixed upstream.
Remove pam-security-abstract-securetty-handling.patch and
pam-unix-nullok-secure.patch, patches coming from debian,
difficult to rebase, and their purpose is unclear.
Disable doc generation, as libpam messes up native and target
compiler options.
Adjust dependencies and packaging.
(From OE-Core rev: 43e3d014748b1ccff25c232b1e6d9345859c0f29)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
libpam does not support 'obscure' checks to password,
there are the same checks in pam_cracklib module.
And this fix can remove the below error message while
updating password with 'passwd':
pam_unix(passwd:chauthtok):unrecognized option[obscure]
(From OE-Core rev: ea761dbac90be77797308666fe1586b05e3df824)
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: 6d79a39856c1b325d0ed6f057d8eaef64e31569f)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
Remove patch applied upstream.
Upstream tarball location changed.
(From OE-Core rev: 40b1825a4434334f3513f94775b176545f8d2f3a)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 994e43acc67efeb33d859be071609daa844e9b77)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
uclibc support was removed a while ago and musl works much better. Start to
remove the various overrides and patches related to uclibc which are no longer
needed.
uclibc support in a layer would still be possible. I have strong reasons to
believe nobody is still using uclibc since patches are missing and I doubt
the metadata even parses anymore.
(From OE-Core rev: 653704e9cf325cb494eb23facca19e9f05132ffd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1.2.1 -> 1.3.0
Remove upstreamed patch:
a) pam-no-innetgr.patch
Refreshed the following patches for 1.3.0:
a) crypt_configure.patch
b) pam-unix-nullok-secure.patch
(From OE-Core rev: ac512ff9fbe41428e3d71d3e943aaa871d8b155a)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Define strndupa if not available in libc additionally fix headers
to explicitly needed include files which glibc was including indirectly
(From OE-Core rev: 24097d8bb481ed1312c45b2e93527a271f56e4be)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
libpam needs to adjust for posix utmpx
uclibc now disables utmp
Change-Id: Ibcb7cb621527f318eb8b6e2741647ccb4c6bb39c
(From OE-Core rev: e4c8a15d36d05d2b17b1dcf1d4238616c5b814f5)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"0x200" became "0200" during the upgrade to libpam 1.2.1 in:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=88dd997d9941b63ae9eead6690ecf2b785c0740c
and this broke the IMAGE_FEATURES like debug-tweaks.
I've converted all the values to octal here to match the original
header file convention and make it clearer.
[YOCTO #8033]
(From OE-Core rev: 588e19058f631a1cc78002e1969a5459cd626afb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dropped upstreamed patches(commit-id):
- add-checks-for-crypt-returning-NULL.patch(8dc056c)
- destdirfix.patch(d7e6b92)
- libpam-fix-for-CVE-2010-4708.patch(4c430f6)
Dropped backported patches(commit-id):
- pam_timestamp-fix-potential-directory-traversal-issu.patch(9dcead8)
- reflect-the-enforce_for_root-semantics-change-in-pam.patch(bd07ad3)
Forward ported patches:
- pam-unix-nullok-secure.patch
- crypt_configure.patch
(From OE-Core rev: 8683206f7ba85f693751415f896a0cc62931e3c4)
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Surfaced when building with musl This details are in patch headers
Enabel innetgr.patch for musl as well
(From OE-Core rev: 6ec229d8dec6a5978ebf6b264c332590c8be0b3a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There's not bash specific syntax in the xtests scripts:
$ cd Linux-PAM-1.1.6/xtests
# replace /bin/bash to /bin/sh and check the bashisms:
$ checkbashisms *.sh
No output
So the runtime dependency to bash could be removed.
(From OE-Core rev: 1917bf7aa74aa1b86756c73c56537db2591115e5)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2 changes:
* update format for commit log
* add Upstream-Status for patch
Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to
create aribitrary files or possibly bypass authentication via a .. (dot
dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY
value to the check_tty funtion, which is used by the
format_timestamp_name function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2583
(From OE-Core rev: 69255c84ebd99629da8174e1e73fd8c715e49b52)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
So that sysvinit images don't warn on every login only add it to common-session
if systemd is a DISTRO_FEATURE.
[ YOCTO #3805 ]
(From OE-Core rev: 3ccb0855a7a6b147e5025855c6376747ba72986a)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
To be secure, change behavior of the OTHER entries to warn and deny
access to everything by stating pam_deny.so on all services.
(From OE-Core rev: 4ca0af699b5b4b3cf95b3e76482651949fd922ac)
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Debian patch to add a new 'nullok_secure' option to pam_unix, which
accepts users with null passwords only when the applicant is connected
from a tty listed in /etc/securetty.
The original pam_unix.so was configured with nullok_secure in
meta/recipes-extended/pam/libpam/pam.d/common-auth, but no such code
exists actually.
The patch set comes from:
http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/054_pam_security_abstract_securetty_handling
http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/055_pam_unix_nullok_secure
(From OE-Core rev: 10cdd66fe800cffe3f2cbf5c95550b4f7902a311)
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change default for user_readenv to 0 and document the
new default for user_readenv.
This fix from:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
/pam_env.c?r1=1.22&r2=1.23&view=patch
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
/pam_env.8.xml?r1=1.7&r2=1.8&view=patch
(From OE-Core rev: 871ae7a6453b3b66610fd8bbaa770c92be850e19)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Backport patches from linux-pam git repo to fix test case
tst-pam_pwhistory1 failure.
[YOCTO #4107]
(From OE-Core rev: 65e4a9f050ae588ec794808315a206d94ca7a861)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
| |
(From OE-Core rev: 3d27366f17e597380fee738f14f119d880a77985)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This make screen/tmux/etc work as intended.
(From OE-Core rev: 58731bbdbd4ab4cfd560f14758a65efdfad2e28f)
Signed-off-by: Martin Donnelly <martin.donnelly@ge.com>
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
| |
(From OE-Core rev: c39e823138cbf4210e17bdb95ca322ec0a6c8f78)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Drop include-sys-resource.patch already fixed upstream
LIC_FILE_CHKSUM change is due to deletion of space in
COPYING file see
http://git.fedorahosted.org/cgit/linux-pam.git/commit/COPYING?id=1814aec611a5f9e03eceee81237ad3a3f51c954a
(From OE-Core rev: 619092b699bfd79e060755fa41645cac7ac4fd0d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_unix_acct.c: In function '_unix_run_verify_binary':
pam_unix_acct.c:97:19: error: storage size of 'rlim' isn't known
pam_unix_acct.c:106:19: error: 'RLIMIT_NOFILE' undeclared (first use in
this function)
pam_unix_acct.c:106:19: note: each undeclared identifier is reported
only once for each function it appears in
(From OE-Core rev: e59a0bac95ce025a6b826be28ccc9e42ca4b5a29)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update libpam to 1.1.4, and add dependecy cracklib because run xtexts will
need pam-plugin-cracklib.
There are some additional checks under subdirectory xtests and make it
as a subpackage libpam-xtests.
(From OE-Core rev: f9158bf219479c2da56dd21a13ecee3176cd6f8a)
Signed-off-by: Kang Kai <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add Upstream-Status tag to patches for the following recipes:
openssh
dbus-glib
expat
opensp
sgml-common
at
cpio (GPLv3 version)
libpam
icu
(From OE-Core rev: 0702602332ad63c2cfaa207516497bb0b75bfdf3)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
| |
(From OE-Core rev: a0d441ec7c43fe1b4490c1c9b03a0cf5811109fd)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
* Removed obsolete crossbinary patch
* Added source checksums
* Added LIC_FILES_CHKSUM and SUMMARY entries
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
|
